On Fri, Jan 17, 2025 at 12:38:41PM +0300, Dan Carpenter wrote:
> The "pipe" variable is a u8 which comes from the network. If it's more
> than 127, then it results in memory corruption in the caller,
> nci_hci_connect_gate().
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Hi Dan,
Based on your analysis, which I agree with, this looks good.
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
But this is a limited review, as I am not sufficiently familiar with NFC
to go by much more than your analysis. A review by Krzysztof would be great.
> ---
> net/nfc/nci/hci.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
> index de175318a3a0..082ab66f120b 100644
> --- a/net/nfc/nci/hci.c
> +++ b/net/nfc/nci/hci.c
> @@ -542,6 +542,8 @@ static u8 nci_hci_create_pipe(struct nci_dev *ndev, u8 dest_host,
>
> pr_debug("pipe created=%d\n", pipe);
>
> + if (pipe >= NCI_HCI_MAX_PIPES)
> + pipe = NCI_HCI_INVALID_PIPE;
Ceci n'est pas une pipe [1]
> return pipe;
> }
[1] https://en.wikipedia.org/wiki/The_Treachery_of_Images
